Security in the Slow Lane

By CIOinsight
Posted 08-22-2003

The rising cyber-security risk, combined with the recent Sarbanes-Oxley law requiring companies to deliver greater information security and integrity, is forcing companies to retool operations-but it's hard for companies to make the necessary trade-offs between competing, conflicting demands for greater security, lower costs and faster operations. Mark Doll, digital security services director for the Americas at Ernst & Young, talks to CIO Insight Executive Editors Marcia Stepanek and Ed Baker about the trade-offs companies will need to make when trying to figure out the best new ways to re-engineer for security.

Doll: I actually don't think the largest challenges of security are technical issues. I think people have historically spent about 80 percent on technology, about 10 percent on people, and 10 percent on process. I think it should be the reverse. I think it should be more like 40/40/20. In fact, if you just took all the uninstalled security software and just tried to install it, you'd have a lot better security than you have today because a lot of the functionality goes unused because you're trying to get an application to run quickly. Speed is one of the first things to go, or you take on more business risk-or you have a tendency not to have the time and investment on the process and training issue, and so these security tools don't get used for those reasons, either.

How much more important has it become for companies to make these trade-offs?

People want to talk about it now. Board level people want to talk about it, the CIOs want to talk about it, CEOs want to talk about it, directors of internal audit want to talk about it more and understand where their position is-and all much more than ever before.

Why?

I think a lot has to do with the new federal regulations; a lot of it has to do with homeland security. I think recent, large virus and cyber-worm events have kind of made it a bigger issue as well.

How much of this new awareness is due to CEOs reading scary articles in The New York Times? Isn't corporate security really just a matter of how many locks you want to put on your door and how inconvenient it is to have to turn all those locks every time you want to go in and out and how expensive it is to install those locks?

Yeah, no one just buys a home alarm system on a Tuesday afternoon thinking it would be interesting. You either buy the alarm with the house, or you get robbed and then you buy it. Or your neighbors get robbed and you think you're next. You have all those dynamics of security that go on, and you read an article, and it scares you because you think you're next or so on and so forth. And I think a lot of buying is that way. I think a Wall Street Journal article about a competitor of yours or your company is almost an instantaneous million-dollar spend on security products. If it's Twiddle Blade, you might spend $100,000. The Wall Street Journal, maybe that's a million dollars. Because you have a reactionary effect. It's kind of human nature that says I'm going to stop whatever happened to me from ever happening again, if you will, and a lot of purchasing is that way.

So fear hype is good for business?

I wouldn't call it good for business, but it's good for transactions.

What's the difference?

Well, a long-term account-the kind in which you have a long-term relationship with a company, for which you're systemically reducing every new risk that comes up for them-is the kind of account that most people are looking for. Fear and uncertainty mean some companies eventually find it very hard to understand why they implemented something. Fear and hype investments are very hard for clients to manage because management doesn't even know why they're implementing something. To really counter today's security threat, you need to understand that real risks are growing dramatically, but yet also understand that there isn't a systemic change in behavior on how to manage down those systemic risks. Think about the IT spend in the 90s and think about how many routers, servers, IP, open devices that were installed, and think about the security industry during that decade. It was more or less nonexistent. There was a free game. I got bandwidth, I got full access to my customers, and all I had to do was buy these cheaper devices than I had before because they were point-to-point. I reduced my telco costs, and I got better access, and it was a free game. So you have all of those devices out there with no real defense mechanism on them. Logic kind of tells you things got worse. The risk got worse.

Now, if you look at the number of vulnerabilities that are coming up, the number of ways that we can exploit systems, there are thousands of them. We used to have to work hard to break into a company, and we are now able to crack through security of the majority of companies that we do attack-and-penetration exercises on. The picture is getting worse. Reports now are not one or two weaknesses-there are 20, 30, 400 weaknesses to security at a company. We don't publicly disseminate our clients' weaknesses, but we can track the number of problems they have, and where they have the most problems. I mean, just think about the number of (software) patches that a typical company has to install today on a weekly basis versus three years ago-main op center, you had your three patches, you put them on the board. Now you can't fit the number of patches on the board that you have to get tested for production this week. Many of those are security violations. Each one of the patches that comes out, we're trying to work out the problem with the patch. We'll have two or three vulnerabilities on a patch before anybody gets the patch installed as we're informing our clients of that. Although I can't give you a statistical regression of it getting worse, I'll tell you empirically, just looking out there, it's getting a lot easier to get in.

Given this increase in that kind of risk, has there also been a concomitant increase in the kinds of attacks that all the security is designed to combat?

Well, yes. I think historically right now the big viruses, big worms, big attacks that are going on are generally at the level of infrastructure or operating systems. And everybody's been battening down the hatches on infrastructure and operating systems, maybe some Web services, maybe, depending if you're a financial institution or you're an automobile producer or a widget producer. If you're a widget producer, you might not even protect your operating systems. If you're a financial institution, you're probably battening down your Web services, but that is probably also going to decrease productivity, create operational issues and throw open to question who can get access to what. Security is not a productivity game. Battening down the hatches, you talk about this ROI that everybody calculates. You put more of this security in, and what do you get? More restrictions, more barriers to compete, and it's counter to this open kind of architecture. I think the real problem that CIOs have to deal with is that they have to get access, availability, productivity up while getting better security. That's harder to do. You can't do everything for all the right people. Shutting down your link between Ernst & Young and every other supplier you have-just because they could give you a virus-is not feasible, is it? Yet we got the Slammer virus, and we got it from a trusted link. Should we shut down some of the aspects of our operation to a trusted supplier? Maybe, but we need to have access to that trusted supplier. We can't just say, oh, I guess we won't provide service for the next two days.

Well, so what are you saying? Can you have decent security without some productivity loss?

There are trade-offs. And there are bigger trade-offs the lower you go in the OSI model, if you will. If you have to shut down all the servers, you're affecting a whole series of people that would use that server. If you're at the application level, you can say, hey, I got this application and this transaction to go here, and that minimizes the productivity loss, if you will. Now the problem is that millions and millions of lines of custom code have a ton of security problems. A year ago, CIOs knew they had buggy software but they did not have control objectives with functional objectives. Sarbanes-Oxley comes in, all this regulation comes in, you're a financial services company, the FFIEC puts new guidelines down that say you have to have control and security at the applications line level and you have to do source code testing at each one of these things. Now a whole new series of performance metrics have arrived. Because before they had functionality, and today I think they have control, stability, predictability on their systems. I tell you, if you were a CIO, no one asked you in 1998, jeez, how many bugs per line or per thousand lines or a million lines did you have? No, instead the questions were more likely to be, Did I get my transactions booked? Did I get my revenue stream in? I got the business to the Web and I got it very, very quickly to the Web, and that's how CIOs were measured on performance.

What else has changed?

Now we're seeing security clauses being written into outsourcing contracts. There are performance incentives on security controls. Example: I need to be able to patch my servers in four hours or in one week from the time there is a security violation. Before, you'd never have that in the scenario. The application could have run well, and then the patch needed to go in, but was it for security reasons, was it for control reasons, was it for what I'll call overall control of the application? There are no incentives like that in most of the contracts. Now it says, hey, does it affect uptime? Security could affect uptime, but it's a pretty indirect measure. We see a lot more things being put into these contracts that are specific to security.

Who inside the company is driving these new types of contracts, typically?

Well, it depends on the type of company, but I think you're seeing that it's the CIO who is driving most of this into the contracts. Some of them are pressured by the director of internal audit. Some of them are pressured by the people that look at the regulatory requirements. But you really have to be in the energy utility business or the financial service industry to feel the pressure from regulators really focusing on security.

Is there a rush to renegotiate these contracts?

What I see people doing is, with their outsourcers, they're putting corporate specs on security. They had new governance policies after 9/11. They said here's our policy guidelines, they handed them over to the outsourcer, and the outsourcer said, whoa, that'll be an extra so many million, I'd say a hundred million dollars for those policy changes, and that's driving the negotiation for what the fees for that policy would be.

And companies are willing to pay extra for that?

Well, to a certain extent they are. Now the question is, will I get away with silver security or bronze security, and maybe my policies were too aggressive in this? And we see them negotiating on both sides. A little more on the outsourcing, little less on this aggressive policy, and then coming to some happy medium that's somewhat budget-influenced, if you will. So I think it goes a little bit both ways to that end. Ultimately, though, you have to reengineer the whole way an organization systemically thinks about risk. It's a cultural issue, not a technology issue. And so you have to think of how you evaluate people. You've got to think about how the business processes work to reengineer, to your point. And I do see a lot of people doing this piecemeal, and they ask me, do any of our competitors have application intrusion detection, and we go, yeah, these three guys we know do it for critical applications. Okay, we're going to buy some of that, too. Because we don't want to be the only person on the block that doesn't have some of that. Because when we do have a situation, and I have to go stand up in front of the press and say, hey, we looked across your industry, we looked at the leading edge tools, we installed them all that we thought were appropriate. They didn't say, hey, I changed the holistic way I look at risk, I've done education and training. They say I patched this bigger problem with this much stuff, but it's all the stuff that everybody else did. We're hard-pressed to find a lot of clients that have changed to the more holistic approach to security. The entertainment industry is ahead on this, as one example. Those companies seem to have a board of directors that get all this, and they're looking for a very holistic solution and are not eager to put in technology until they have all the process and communications and how this is going to work come together.

The regulated industries, like financial services, utilities and so forth, appear to be very focused on meeting their regulations. The financial services companies have struggled with a lot of reputational issues over the last two years, and the last thing they want is to say I have my customers' confidential records released, or that this transaction was disclosed.

I think there's a triple witching hour going on with regard to security-and for all companies, really. I think the full effect of that hasn't taken place yet. You have a series of privacy laws like California Senate Bill 1386, the Gramm-Leach-Bliley Act and HIPAA, and so you get this privacy push, and that's confidential information and all those other components, and that's what's driving a certain amount of legislation. Then you've got homeland security which says, hey, this is for the good of the country, and then you've got all these government expenditures that may or may not ever hit to some component, and you see homeland security lobbying large financial institutions, software companies, other things for the good of America to change their behaviors. Then you've got Sarbanes-Oxley, which now says you've got to sign for the integrity of your financial data, and if you don't sign, or if the integrity is not there, then you can go to jail.

And so you have these three independent drivers where legislation is coming out in privacy or homeland security and Sarbanes-Oxley, and the CIO is in the middle of all of this. And since the CIO is generally in charge of all the change management on the process side of the organization, and is in charge of securing how the organization reacts to how we process stuff, I think that increasingly, the CIO is going to be under this pressure. Not yet maybe, but that's where I think the future's going.

How do you see the role of the CSO?

I wish there were more CSOs with more power than CIOs in an organization, but we're not seeing that. CSOs might report up higher, but you take a dweebie guy from four levels down, you put in a CSO, the CIO still has the influence and power of management. We're not seeing this predominantly, but I'll tell you that we do not see the power structure of the organization dramatically switching. I would say top management definitely wants to be both perceived as and in real terms improve the overall security because that's what their board of directors is telling them to do, to fix this security problem. And they're pushing that down to the CSOs, they're empowering them more than they ever did before, but you still have a person in a large financial institution that controls $3 billion or $4 billion worth of spend. He's done it for a number of years. Change is occurring, so I don't think security is all lip service, but does it change overnight and has there been a dramatic event to force it to change overnight? I don't think I've seen that yet.

What about the relationship between the CSO and the CIO?

Many of the CSOs report on the digital side to the CIO. That's still the prevalent structure. And even if there's a CSO, the implementation of digital security and IT security still rests with the CIO.

Isn't that like the fox watching the chicken?

Absolutely. Companies really must have CSOs with real power in the organization in order to change the status quo on security. I think you're going to see a lot more of that with Sarbanes-Oxley because, in essence, you want to be perceived above reproach and you want to make sure that chain of command is above reproach, too. Now you have to sign off that there can be no material error in your business and financial reporting procedures. A lot of these Web-based applications that are now in to support transactions? They went in awfully quick. Awfully quick. I put a lot of systems in production, but a lot of these systems went very quickly into production. And a lot of application developers will tell you how you get systems into production quickly. You cut off many of the control procedures so you can get it up and running, and then what your strategy is, you're going to put those control procedures in afterwards.

People rush because of timing, because of business requirements, because this version needed to be out by this date because of whatever, press releases going out at that date. If this situation is not scaring CIOs right now, I think it should. Forget security if anybody can get in and mess with things. And then there's this situation: CEOs are not saying to CIOs, 'Fix the security, fix the controls.' What they're saying to them is, 'Give me all the productivity and fix the controls, and, by the way, give me 10 percent off the budget.' That's what they're saying, I think. That puts the CIO in a catch-22. I think the most successful CIOs, the ones who will be on the cover of magazines five years from now, six years from now, will be the people who had the most controlled organizations, the most secure organizations. They're not going to be the CIOs who said, 'I slammed in seven applications in six months, look how fast I am.' They're not going to be the CIOs who said, 'I moved all my production offshore and saved 22 cents.' I think the leaders among CIOs in the future will be those who made the right trade-offs when it comes to security. It's not about innovation any more. It's all about control.